The entire header configuration (not individual errors) is analyzed for the Web Application Headers risk vector. Refer to the following configuration requirements.
- Requirements for GOOD grade: No misconfigured headers (required or optional) are present.
- Requirements for FAIR grade: No more than 50% of the distinct headers (required and optional) are misconfigured.
For HTTP connections, no headers are graded unless Set-Cookie is defined. The finding grade defaults to NEUTRAL.
See all assessed headers:
- Required HTTP 1.1 (HTTPS)
- Required HTTP 1.1 (non-HTTPS)
- Required HTTP 1.0 (HTTPS)
- Required HTTP 1.0 (non-HTTPS)
HTTP Downgrade
The following errors downgrade the response from HTTPS to HTTP:
- 200 responses
- 30X responses
- 401 responses
See HTTP downgrade finding messages.
HTTP 1.1 (HTTPS)
Response | Description |
---|---|
200 | We validate that no hyperlinks in the HTML of the web page downgrade the user to HTTP inside the site and the domain of the site. We also validate that the HTML of the web page does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if such hyperlinks or resources are present. |
30x (301, 302, 307) | Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded BAD. |
HTTP 1.0 (HTTPS)
Response | Description |
---|---|
200 | We validate that no hyperlinks in the HTML of the web page downgrade the user to HTTP inside the site and the domain of the site. We also validate that the HTML of the web page does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if such hyperlinks or resources are present. |
30x (302, 307) | Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded BAD. |
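The two downgrade checks in the tables above, as an added example that is not the rating vendor's own code: a scanner that flags in-site `http://` hyperlinks and `http://` resource imports in a 200 response, and a check for a 30x Location header pointing to `http://`. The host `www.example.test`, the sample HTML and the approximation of "inside the site" as the page host or any host under its last two DNS labels are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: an HTTPS page on the hypothetical host www.example.test.
PAGE_URL = "https://www.example.test/account"
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
</head><body><a href="/help">Help</a>
<a href="http://www.example.test/login">Login</a> <a href="http://partner.example.org/">Partner</a>
<img src="http://images.example.test/logo.png">
</body></html>"""
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class DowngradeScanner(HTMLParser):
    """Collects in-site hyperlinks and imported resources that use plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page = urlparse(page_url)
        self.site_links, self.resources = [], []

    def _in_site(self, host):
        # Assumption: "inside the site" = page host or any host under its registrable domain (last two labels).
        base = ".".join(self.page.hostname.split(".")[-2:])
        return host == self.page.hostname or host.endswith("." + base)

    def handle_starttag(self, tag, attrs):
        wanted = "href" if tag == "a" else RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(wanted)
        if not value:
            return
        target = urlparse(urljoin(self.page.geturl(), value))
        if target.scheme != "http":  # relative and https:// references are fine
            return
        if tag == "a":
            if self._in_site(target.hostname or ""):
                self.site_links.append(target.geturl())
        else:
            self.resources.append(target.geturl())

def grade_200_response(page_url, html):
    """HTTPS 200: BAD when any in-site HTTP hyperlink or HTTP resource import is present."""
    scanner = DowngradeScanner(page_url)
    scanner.feed(html)
    findings = scanner.site_links + scanner.resources
    return ("BAD" if findings else "GOOD"), findings

def grade_redirect(page_url, status, location):
    """HTTPS 30x: BAD when the Location header sends the user straight to http://."""
    return "BAD" if status in (301, 302, 307) and urlparse(urljoin(page_url, location)).scheme == "http" else "GOOD"
```

The partner link is reported nowhere because it leaves the site's domain; the 401 case listed under HTTP Downgrade is not modelled here.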
- August 16, 2024: Published.